Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 5fe87241 authored by Brian C. Young's avatar Brian C. Young
Browse files

Add "Unlocked device required" parameter to keys 

Add a keymaster parameter for keys that should be inaccessible when
the device screen is locked. "Locked" here is a state where the device
can be used or accessed without any further trust factor such as a
PIN, password, fingerprint, or trusted face or voice.

This parameter is added to the Java keystore interface for key
creation and import, as well as enums specified by and for the native
keystore process.

Test: go/asym-write-test-plan

Bug: 67752510

Change-Id: I466dfad3e2e515c43e68f08e0ec6163e0e86b933
parent 406406fb

keymaster/4.0/support/include/keymasterV4_0/keymaster_tags.h

+17 −11
Original line number Diff line number Diff line
@@ -142,23 +142,27 @@ DECLARE_TYPED_TAG(ROOT_OF_TRUST); 
DECLARE_TYPED_TAG(RSA_PUBLIC_EXPONENT);

DECLARE_TYPED_TAG(TRUSTED_CONFIRMATION_REQUIRED);

DECLARE_TYPED_TAG(UNIQUE_ID);

DECLARE_TYPED_TAG(UNLOCKED_DEVICE_REQUIRED);

DECLARE_TYPED_TAG(USAGE_EXPIRE_DATETIME);

DECLARE_TYPED_TAG(USER_AUTH_TYPE);

DECLARE_TYPED_TAG(USER_ID);

DECLARE_TYPED_TAG(USER_SECURE_ID);



template <typename... Elems>

struct MetaList {};



using all_tags_t = MetaList<

    TAG_INVALID_t, TAG_KEY_SIZE_t, TAG_MAC_LENGTH_t, TAG_CALLER_NONCE_t, TAG_MIN_MAC_LENGTH_t,

    TAG_RSA_PUBLIC_EXPONENT_t, TAG_INCLUDE_UNIQUE_ID_t, TAG_ACTIVE_DATETIME_t,

    TAG_ORIGINATION_EXPIRE_DATETIME_t, TAG_USAGE_EXPIRE_DATETIME_t, TAG_MIN_SECONDS_BETWEEN_OPS_t,

    TAG_MAX_USES_PER_BOOT_t, TAG_USER_SECURE_ID_t, TAG_NO_AUTH_REQUIRED_t, TAG_AUTH_TIMEOUT_t,

    TAG_ALLOW_WHILE_ON_BODY_t, TAG_APPLICATION_ID_t, TAG_APPLICATION_DATA_t,

    TAG_CREATION_DATETIME_t, TAG_ROLLBACK_RESISTANCE_t, TAG_ROOT_OF_TRUST_t, TAG_ASSOCIATED_DATA_t,

    TAG_NONCE_t, TAG_BOOTLOADER_ONLY_t, TAG_OS_VERSION_t, TAG_OS_PATCHLEVEL_t, TAG_UNIQUE_ID_t,

    TAG_ATTESTATION_CHALLENGE_t, TAG_ATTESTATION_APPLICATION_ID_t, TAG_RESET_SINCE_ID_ROTATION_t,

    TAG_PURPOSE_t, TAG_ALGORITHM_t, TAG_BLOCK_MODE_t, TAG_DIGEST_t, TAG_PADDING_t,

using all_tags_t =

    MetaList<TAG_INVALID_t, TAG_KEY_SIZE_t, TAG_MAC_LENGTH_t, TAG_CALLER_NONCE_t,

             TAG_MIN_MAC_LENGTH_t, TAG_RSA_PUBLIC_EXPONENT_t, TAG_INCLUDE_UNIQUE_ID_t,

             TAG_ACTIVE_DATETIME_t, TAG_ORIGINATION_EXPIRE_DATETIME_t, TAG_USAGE_EXPIRE_DATETIME_t,

             TAG_MIN_SECONDS_BETWEEN_OPS_t, TAG_MAX_USES_PER_BOOT_t, TAG_USER_ID_t,

             TAG_USER_SECURE_ID_t, TAG_NO_AUTH_REQUIRED_t, TAG_AUTH_TIMEOUT_t,

             TAG_ALLOW_WHILE_ON_BODY_t, TAG_UNLOCKED_DEVICE_REQUIRED_t, TAG_APPLICATION_ID_t,

             TAG_APPLICATION_DATA_t, TAG_CREATION_DATETIME_t, TAG_ROLLBACK_RESISTANCE_t,

             TAG_ROOT_OF_TRUST_t, TAG_ASSOCIATED_DATA_t, TAG_NONCE_t, TAG_BOOTLOADER_ONLY_t,

             TAG_OS_VERSION_t, TAG_OS_PATCHLEVEL_t, TAG_UNIQUE_ID_t, TAG_ATTESTATION_CHALLENGE_t,

             TAG_ATTESTATION_APPLICATION_ID_t, TAG_RESET_SINCE_ID_ROTATION_t, TAG_PURPOSE_t,

             TAG_ALGORITHM_t, TAG_BLOCK_MODE_t, TAG_DIGEST_t, TAG_PADDING_t,

             TAG_BLOB_USAGE_REQUIREMENTS_t, TAG_ORIGIN_t, TAG_USER_AUTH_TYPE_t, TAG_EC_CURVE_t>;



template <typename TypedTagType>
@@ -343,6 +347,7 @@ inline bool operator==(const KeyParameter& a, const KeyParameter& b) { 
        case Tag::BOOTLOADER_ONLY:

        case Tag::NO_AUTH_REQUIRED:

        case Tag::ALLOW_WHILE_ON_BODY:

        case Tag::UNLOCKED_DEVICE_REQUIRED:

        case Tag::ROLLBACK_RESISTANCE:

        case Tag::RESET_SINCE_ID_ROTATION:

        case Tag::TRUSTED_CONFIRMATION_REQUIRED:
@@ -357,6 +362,7 @@ inline bool operator==(const KeyParameter& a, const KeyParameter& b) { 
        case Tag::OS_VERSION:

        case Tag::OS_PATCHLEVEL:

        case Tag::MAC_LENGTH:

        case Tag::USER_ID:

        case Tag::AUTH_TIMEOUT:

        case Tag::VENDOR_PATCHLEVEL:

        case Tag::BOOT_PATCHLEVEL:

keymaster/4.0/types.hal

+6 −1
Original line number Diff line number Diff line
@@ -118,7 +118,8 @@ enum Tag : uint32_t { 
                                                       * boot. */



    /* User authentication */

    // 500-501 reserved

    // 500 reserved

    USER_ID = TagType:UINT | 501,             /* Android ID of authorized user or authenticator(s), */

    USER_SECURE_ID = TagType:ULONG_REP | 502, /* Secure ID of authorized user or authenticator(s).

                                               * Disallowed if NO_AUTH_REQUIRED is present. */

    NO_AUTH_REQUIRED = TagType:BOOL | 503,    /* If key is usable without authentication. */
@@ -191,6 +192,9 @@ enum Tag : uint32_t { 
     * match the data described in the token, keymaster must return NO_USER_CONFIRMATION. */

    TRUSTED_CONFIRMATION_REQUIRED = TagType:BOOL | 508,



    UNLOCKED_DEVICE_REQUIRED = TagType:BOOL | 509, /* Require the device screen to be unlocked if

                                                    * the key is used. */



    /* Application access control */

    APPLICATION_ID = TagType:BYTES | 601, /* Byte string identifying the authorized application. */
@@ -471,6 +475,7 @@ enum ErrorCode : int32_t { 
    PROOF_OF_PRESENCE_REQUIRED = -69,

    CONCURRENT_PROOF_OF_PRESENCE_REQUESTED = -70,

    NO_USER_CONFIRMATION = -71,

    DEVICE_LOCKED = -72,



    UNIMPLEMENTED = -100,

    VERSION_MISMATCH = -101,